M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on June 29, 2022.

On June 14, 2022, the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security, which would enact the Critical Cyber Systems Protection Act (the CCSPA) to establish a regulatory cyber security framework and improve baseline security for vital public systems and services.

The CCSPA will apply to certain classes of federally regulated entities (Designated Operators) that are involved in four priority sectors: finance, energy, telecommunications, and transport. It is proposed to address outstanding gaps in the current regulatory environment by allowing the Government to (i) designate critical Canadian services and systems and the parties responsible for their protection; (ii) ensure regulated parties are adequately protecting cyber systems and compel action in response to cyber threats; (iii) mandate the reporting of select cyber incidents; and (iv) ensure a cross-sectoral approach to cyber security.

To accomplish the Government’s goals, the CCSPA will impose new compliance and reporting duties on Designated Operators which, among other things, require them to:

• establish a cyber security program that documents the protection plan for a critical cyber system;
• mitigate supply chain and third-party service or product risks;
• report cyber security incidents to regulators; and
• keep compliance records.

The CCSPA provides the Governor in Council with enforcement powers to issue Cyber Security Directions (CSDs) that require Designated Operators to take certain suggested actions regarding the protection of a critical cyber system.  CSDs may be accompanied by specific deadlines and failure to comply may lead to administrative monetary penalties or regulatory offences resulting in fines or imprisonment.